With Opening Day of baseball season nearly upon us, it’s time again to bring back a “Quick Hits” segment to recap a few noteworthy (but not completely post-worthy) employment law items you might have missed recently.

  • The U.S. Department of Labor released the final version of new “persuader” rules which will become effective April 25, 2016.  The new rules revise the “advice” exemption and will require a larger universe of consultants, law firms, and employers to report their labor relations advice and services.  You can find many recaps of the new rule (here and here, for example).  For Connecticut employers, if you haven’t had to worry about “persuader” reporting before (and don’t know what it is), it’s not likely to change things much, though for law firms and consultants, it may have a more significant impact.
  • Not every U.S. Supreme Court case is a big one.  The latest example of that is the Tyson Foods, Inc. v. Bouaphakeo et al. case that was issued last week. In that case, the court ruled that employees could use representative evidence to establish liability and damages for class certification purposes in a donning and doffing case. As another blog post stated succinctly, this decision allowed employees to rely on a “time study conducted on a sample of class members to calculate an average donning/doffing time, which is then extrapolated to each member of the class — even if the actual time spent on the activity in question varies dramatically among employees and even if some of the class members failed to prove damages at all based on that time study.”  For most employers, however, the decision will have limited utility. Donning and doffing cases are, for example, fairly rare.
  • An interesting case up for oral argument at the U.S. Supreme Court today looks at the limited circumstances in which an employer can recover attorneys’ fees as a “prevailing party” in a Title VII suit.  The SCOTUSBlog has more on this case here.
  • Tax season has renewed fears regarding the privacy of W-2 forms.  A spear-phishing e-mail scheme has been making the rounds of late, as this post reminds us.  The typical version is an e-mail that appears to come from a company executive asking payroll or HR staff to send employees’ W-2 forms; any such request should be verified with the supposed sender by phone or in person before anything goes out.


Today, cross-posted on the LXBN site, I reflected on the biggest legal developments of the first half of the decade.  I am reposting it here, but my sincere thanks to Lexblog for the support it has given me over the past 8 1/2 years and for the opportunity to provide some insight on its site.

When I was asked by LexBlog to provide insight into the most significant story I’ve written about in the first half of this decade (and wondering if it started on January 1, 2010 or 2011?), I first thought about looking at some statistics of pages visited on my blog.

Turns out that my most-read story was... a blurb on what the IRS reimbursement rate for business travel was in 2010. (Followed by stories on the rates for 2015, 2011 and 2012.)

So, let’s just say that blogging statistics can be a bit deceiving. Though, one other statistic really stands out: There’s been a huge rise in viewing the blog on both social media and on mobile phones.

And that, I think, leads me to what I think is the big overall story of the 2010s: the rise of social media in employment law.

This is, of course, not new. Back in 2012, I indicated that the biggest story then was the rise of social media.

That has only been amplified in the following years.

For the first few years of the 2010s, it seemed that every other presentation I did was on social media. First, it was to educate employers on what social media was. But then, beyond that, came the second layer: how social media was impacting the workforce.  In 2012, I helped plan WESFACCA’s “Day of Social Media” to help educate in-house lawyers on the perils of social media.

My discussions ranged from the now seemingly quaint “Facebook firing” case of November 2010 to the September 2013 case where a Facebook “like” was deemed a protected activity to the new 2015 Connecticut law restricting employer access to personal social media accounts.

But I do think the tide is turning a bit.  Social media has become so mainstream that it is now just part of the myriad of things human resources has to keep track of.  People are less shocked by a Facebook post and employees have become smarter about their use of privacy settings too.

Sure, people still say stupid things on social media and they are still getting fired for it (appropriately, in some instances) but employers are now able to keep some perspective about the whole thing too.

So, in five years (and heaven help all of us if I’m still writing this blog in five years), I think it’s unlikely to still be dominating posts like it did for the first half.

What will take its place? My wager is on data privacy.  Yes, it’s a bit self-serving of me to predict this in light of the presentation we did this month on this very topic.  But judging by the interest we’ve been getting in the subject, I think we’re on to something.

Employee data is just one aspect of this.  Employers who store information on a computer are subject to hacking and theft attempts on a daily basis.  Plus, employees who transmit information may do so without encrypting it, leaving the data open to prying eyes.

I don’t know where it all will lead, but I will say that if you aren’t doing everything you can to ensure the safety of the data on your networks, you probably aren’t doing enough.

I’m pleased to announce an upcoming program that my firm, Shipman & Goodwin, and the Connecticut State Council of SHRM are producing next month and that I’ve been planning for several months.

The program, entitled “Data Privacy & Human Resources” will be a unique endeavor for us.  First, we are planning on doing it in both our Hartford & Stamford offices at the same time.  Speakers will be in both locations (though obviously not the SAME speakers, for those grammar buffs).

On top of that, we will be broadcasting it live via a webinar.

What could go wrong?

Hopefully, nothing, because really, it should be very informative.  It’s scheduled for the morning of December 11, 2015.

The first hour will focus on the key things employers need to know about the revisions to the state’s new data privacy law. The second hour will talk about the very latest in human resources including the current status of the proposed overtime regulations and the state’s new social media privacy law.

It’s going to be fast-paced and informative. But space is definitely limited and within the first 48 hours of our e-mail alert, we’re already halfway to our in-person room capacity.

If you’re interested in attending, check out this link and register online. The cost is just $35, but this includes breakfast and the materials. (If you’re watching via webinar, breakfast is on your own — naturally.)

And if you’d like to see the flyer, you can download it here.

Last week, I had the opportunity to speak to the Corporate Compliance Forum for the Connecticut Community Providers Association. My thanks to Gayle Wintjen, General Counsel of Oak Hill, for the invitation to speak.

The topic was a familiar one to this blog — Data Privacy.  In the session, we tackled the new Connecticut law that should be keeping at least some employers up all night figuring things out.

As I said in my talk, employers that have had to adopt HIPAA compliance rules should be in good shape to get into compliance with Connecticut law. Things like two-factor authentication aren’t nearly as intimidating when you’ve already adopted them for other areas.

Now, the rules don’t need to be adopted by everyone. But those employers who do business with the state of Connecticut are typically covered.

The Privacy and Data Protection Group of my firm put together a FAQ to inform current and potential state contractors of Connecticut’s data privacy and security requirements and to answer the most commonly asked questions about applicable Connecticut law and compliance with it. This article also includes our recommendations for analyzing compliance under applicable Connecticut law and, if necessary, developing a plan to satisfy the pertinent legal requirements.

You can download it free here.

For human resources, I think this is one of the more complicated times to be in HR. Between privacy, discrimination laws, wage & hour laws alone, there are many issues to keep on top of. Make sure data privacy is on your list of things to pay attention to for this year.

And stay tuned for more information on an upcoming program in November.

With news of yet another breach of personnel data of nearly 21 million Americans yesterday, I invited my colleague William Roberts to chime in with an update on a new law in Connecticut that updates data privacy requirements in the state. Bill heads up our Privacy and Data Protection team here and works a lot with health care companies on compliance with various privacy laws.

My thanks to Bill for the update.

On June 1, 2015, the Connecticut Legislature passed S.B. 949, a comprehensive data privacy and security bill that tightens the state’s data breach response requirements and imposes new obligations on state contractors and the health insurance industry. Connecticut Gov. Dannel Malloy signed the bill on June 30. A copy of S.B. 949 is available here.

This post reviews the portions of the bill most pertinent to businesses operating in Connecticut or holding personal information of state residents.

Revisions to Breach Response Requirements

Current Connecticut law requires an entity that experiences a data breach to provide notice of such breach to the affected individuals and the Connecticut Attorney General’s Office “without unreasonable delay.” S.B. 949 amends this requirement by specifying that such notices must be provided no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”

This amendment is striking in that it sets a maximum time period for notice that is much longer than the time periods set forth in other state or federal breach notification standards (e.g., the Health Insurance Portability and Accountability Act requires notice no later than 60 days following discovery of a breach).

Recognizing this apparent leniency, Connecticut Attorney General George Jepsen issued a press release that clarifies his office’s enforcement approach. Specifically, Jepsen clarifies that the 90-day reporting period is the “outside limit” for notifications and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”

Jepsen makes clear that his office will “continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification — even if notification is provided less than 90 days after discovery of the breach.” Thus, entities should continue to respond to breaches in a prompt manner and provide the necessary notices as soon as practicable.

In addition, S.B. 949 requires companies experiencing a breach involving Social Security numbers to provide affected individuals with free credit monitoring services and information on how such individuals may place a credit freeze on the individual’s credit file. The free credit monitoring services must be for a period of at least one (1) year.

While this new requirement has been considered by many to be a significant change in the law, it may have limited implications in practice because the state attorney general has long expected (or even required) companies to provide such services when Social Security numbers were involved.

Notably, S.B. 949 appears to set a shorter time period for free credit monitoring than what is typically expected by the state attorney general’s office. In many instances, the attorney general has insisted that companies offer no less than two years of free credit monitoring. Addressing this apparent lowering of expectations, Jepsen announced in his office’s press release that S.B. 949 “sets a floor for the duration of the protection” and that he retains the authority “to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.”

Both of the modifications to Connecticut’s breach reporting requirements are effective Oct. 1, 2015.

State Contractor Obligations

Effective July 1, 2015, S.B. 949 imposes significant new requirements for state contracts that authorize a state agency to disclose “confidential information” to a contractor.

The bill defines “confidential information” as:

  • a person’s name, date of birth or mother’s maiden name;
  • any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card;
  • unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation;
  • “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively (i.e., the Family Educational Rights and Privacy Act and HIPAA); and
  • any information that a state contracting agency tells the contractor is confidential.

Confidential information does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.

This definition is very broad and contractors should be cognizant that a large number of state contracts may be subject to the bill’s new requirements.

If a state contract involves the sharing of confidential information, the contractor will be required to undertake significant efforts to protect the privacy and security of such information.

Specifically, the contract must require the contractor to, at a minimum:

  • at its own expense, protect confidential information from being breached;
  • implement and maintain a comprehensive data security program to protect the confidential information;
  • limit access to the confidential information to the contractor’s authorized employees and agents for authorized purposes as necessary to complete the contracted services or provide contracted goods;
  • maintain all confidential information obtained from the state (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents and (e) as otherwise required under state and federal law;
  • implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and
  • specify how the cost of any notification about, or investigation into, a breach is to be apportioned.

The bill includes numerous detailed requirements a contractor must adhere to, particularly with respect to the development of a data security program and the reporting of breaches.

Compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small providers with limited financial or other resources. The bill includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for confidential information if the facts and circumstances warrant them after considering, among other factors, the type and amount of confidential information being shared, the purpose for which the confidential information is being shared, and the types of goods or services covered by the contract.

Notably, the bill does not include the size or resources of the state contractor as factors OPM may consider when altering data security requirements.

Insurance Industry Data Security Programs

In response to the recent Anthem Inc. data breach, S.B. 949 imposes new requirements on health insurers, pharmacy benefit managers, utilization review companies and third-party administrators licensed to do business in Connecticut with respect to these entities’ maintenance of comprehensive information security programs.

Specifically, each such entity must develop and implement a written security program no later than Oct. 1, 2017. The program must address a litany of administrative, physical and technical safeguards including, among others: (1) computer and Internet user authentication protocols; (2) access control measures; (3) risk assessments; (4) sanctions for employee violation of security policies or procedures; and (5) oversight of third parties that have access to personal information.

The extent of such safeguards must be appropriate in light of the scope and type of business, the amount of resources available, the amount of data compiled or maintained and the need for security of such data. The written security program must be updated at least annually.

While extensive, many of the affected companies will already be subject to very similar requirements imposed under HIPAA and thus will likely have most, if not all, of S.B. 949’s elements already addressed in current policy. Nevertheless, insurers and others subject to this new requirement should review existing policies and procedures to determine sufficiency in light of the new requirements.

My colleague, Marc Herman, returns today to talk about a subject that doesn’t get a lot of attention but may as the technology makes genetic information more accessible.  But just because it’s more accessible, doesn’t make it right. Particularly if you suspect something “smelly” in your workplace. 

It’s not often that it comes up, but at a recent presentation, I discussed the implications of the Genetic Information Nondiscrimination Act of 2008 (“GINA”) with the audience.

A slight digression is necessary: GINA, a federal law, prohibits employers from making any employment-based decision (such as hiring, firing, disciplining, and promoting) based upon one’s genetic make-up. What is more, in an effort to preempt such conduct, GINA significantly restricts employers’ ability to obtain genetic information about employees and job applicants.

Back to the presentation: many members of my audience, despite hyperbolic, yet entertaining, fictional hypotheticals, found it incredibly difficult to imagine a real-life situation whereby an employer would actually violate GINA; my audience happened to be sticklers for realism.

Slightly disheartened that my hypotheticals lacked the believability factor of a John Grisham novel, I set out to locate a real-life GINA case that perfectly captured the substance of GINA, and exemplified the potential consequences of a violation. . . today, my quest was complete.

(Editor’s note: Eric Meyer of The Employer Handbook appears to be one of the first to talk about the case but it’s too good to pass up.)

Jack Lowe and Dennis Reynolds sued their Georgia employer, Atlas Logistics Group Retail Services, LLC (“Atlas”), for alleged violations of GINA. See Lowe v. Atlas Logistics Group Retail Services, LLC.

The plaintiffs alleged that they were coerced, under the threat of discipline, into submitting cheek swabs to assist Atlas in identifying a particular employee.  Why?

Because the employer suspected an employee was regularly, and shamelessly, defecating in one of Atlas’s shipping warehouses. According to the employer, the saliva sample was necessary to help identify fecal matter and track down the serial offender.

(The best footnote is from the court: “Apparently, this problem is not as rare as one might imagine.”)

After the plaintiffs sued, a Georgia federal district court concluded that the cheek swab constituted a “genetic test” in violation of GINA, and a federal jury awarded the plaintiffs over $2,000,000.

So there you have it: a real-life case that highlights the serious implications stemming from a GINA violation.

. . . and, in case you’re wondering, neither of the plaintiffs was the serial defecator.

(Editor’s note again: Amazingly, this isn’t the first time “poop” has come up on the blog.  Specifically, you may recall the case from April 2008, in which an employee was given “The Book of Poop”.)

Company data breaches are becoming far too common.  Today, my colleague Jarad Lucan talks about the steps companies need to take, both pre- and post-breach.  If your company has a unionized workforce, you may need to adhere to additional duties.

As we have reported in the past (the very recent past), it seems like there is a new headline regarding a company data breach almost daily (at the very least, weekly).  For instance, this week Coca-Cola Co. was hit with a putative class action in federal court contending that it failed to properly protect employee information contained on 55 laptops that were stolen between 2007 and 2013.  According to the complaint, the information contained on these laptops included personal identifying, motor vehicle, and financial information about employees that was subsequently used by the thieves to make fraudulent purchases, among other things.  The complaint also alleges that Coca-Cola failed to notify affected employees promptly of the data breach.  In the past, we have also identified four things a company can do before an employee data breach occurs, including establishing and implementing a written data breach response policy, conducting a review of systems and data to understand where confidential information resides, conducting regular risk assessments for the company, vendors and business partners, and establishing frequent privacy and security awareness trainings.

In addition to pre-breach steps a company should take, there are numerous post-breach steps that a company in Connecticut must take (if you have employees out-of-state, check those state requirements), including notifying employees and the Attorney General’s office of the breach if the breach involved employees’ financial or motor vehicle information and/or Social Security numbers.  Employers with unionized workforces may also have an additional requirement: bargaining over the impact of such a breach.

You may have heard that hackers recently broke into some of the Postal Service’s computer systems and may have stolen sensitive data on more than 800,000 postal employees.  What you may not have heard is that the American Postal Workers Union has filed a charge with the National Labor Relations Board accusing the Postal Service of keeping the union in the dark about that breach.  According to the charge, “[t]he Postal Service did not give the Union advanced notice [prior to the official November 10th announcement] that would enable it to negotiate over the impacts and effects of the data breach on employees.”  Essentially, the union is claiming that it should have been kept in the loop regarding the breach as soon as the Postal Service knew about it, and that the Postal Service should have sat down with the union to discuss, among other things, the Postal Service’s response to the breach to the extent that response affected the unionized workforce.  In fact, it appears that the union also takes issue with the Postal Service’s offer to provide free monitoring services to the affected employees, a common position taken by a company after a data breach.  Indeed, the charge goes on to allege that “the Postal Service unilaterally changed wages, hours and working conditions by, among other things, providing free monitoring services to employees.”  As a remedy, the union is seeking injunctive relief in this case.

It is too early to determine how the NLRB will respond to this charge.  The NLRB may dismiss it, or it may decide that it has enough teeth to issue a formal complaint.  Whatever the NLRB does, given the prevalence of data breaches affecting companies, this is an issue to keep track of if you employ a unionized workforce.  We will certainly update you on any developments.

Your employees are probably NOT using this to record anymore. A mere smartphone will do.

On Friday, I talked to over 150 attendees of our Labor & Employment seminar about workplace surveillance and monitoring.

Some of the discussion focused on whether employers can do the recording; but what about employees?

This is not some theoretical question. More and more employees are recording conversations at their workplaces on smartphones, according to recent articles.

If you do a search on the Internet, you’re likely to discover that Connecticut is a “two-party” state when it comes to recording telephone conversations.

What does that mean? In plain English, it means that all parties to a phone conversation must consent to the recording for it to be legal.  You can read the law (Conn. Gen. Stat. Sec. 52-570d) for yourself here.

Fair enough.

But if you read these materials, you’ll also see that the vast majority of them say that Connecticut is a two-party state when it comes to all communications.

Unfortunately, don’t believe everything you read on the Internet.

For ordinary, in-person communications, Connecticut is a one-party state — meaning that only one party’s consent is needed to record a conversation.  (You can find the law regarding eavesdropping at Conn. Gen. Stat. Sec. 53a-189.) 

What does this mean in the workplace? It means that your employees can legally record conversations with their bosses and then try to use those communications as evidence to prove a discrimination claim or another employment-related claim.

Employers can set up reasonable rules in the workplace prohibiting the taping of conversations and tell employees that they cannot record them, but that only means that the recordings violate the employer’s rules, not Connecticut law.

And what this also means is that an employee cannot record a conversation between two other people; at least one party to the conversation must always consent to the recording.

The NLRB has spoken out on whether rules on workplace recordings violate federal labor law, which I’ve covered in a prior post.

The takeaway for employers, though, in Connecticut is a simpler one: Assume that your conversations with your employees can be recorded.

Are you comfortable about what has transpired if those conversations ever get leaked to TMZ.com? If not, then use this post as a wake-up call.

Of course, there are other laws that may apply as well, and it’s questionable whether a claim for invasion of privacy might be able to proceed, so before you tackle this subject, talk with your preferred counsel about all the implications of a complex subject.